Attacking Android Applications

  • View

  • Download

Embed Size (px)


How to attack Android Apps

Text of Attacking Android Applications

  • Android Mobile Application Hacking

    Erez Metula , Application Security Expert

    AppSec Labs (Founder)

    OWASP IL 2012

  • About me

    Founder of AppSec Labs

    Application security expert

    Book author

    Managed Code Rootkits (Syngress)

    Speaker & Trainer Presented at BlackHat, Defcon, RSA, OWASP, etc..

    Secure Coding / Hacking trainer

  • About AppSec Labs

    Expert application security company focusing mainly on Web & Mobile apps

    Cutting edge application security services Penetration testing

    Training Developers, IT

    Consulting Secure coding

    Provider of cloud based application security training

  • Agenda

    Introduction to mobile security

    Android PT workspace

    Common Mistakes & Attack Vectors

    AppUseVM for mobile PenTesting

  • We are more connected than ever

  • Mobile device growth some facts

    80% of the world have a mobile device

    Some countries have more devices than people

    Some countries have more devices than toilets

    Example - India

  • What makes mobile application security so different? Different threat model

    Some vulns stayed the same - sqli, xss, authz

    New vulns related to client side attacks such as other app attacking our app !

    Different tools required for pentesting

    No more mostly all I need is a proxy

    Different skills for pentesters

    Reversing is a key factor

    Lack of (mature) security tools

  • Challenges for performing Android PT

    Tools many micro tools Knowledge lots of things to know Complexity multiple steps are involved even for simple operations Static Analysis - Extract application from device, Reverse Engineering , Explore file system deployment, Locating secrets in code/config files, Disassembly, Patching

    Dynamic Analysis - Debug the running app, Analyze memory dumps, Analyze network traffic, Analyze remote services, Manipulate network traffic

  • Until we created AppUse..

  • AppUse

    Formal definition:

    Android Pen-test Platform Unified Standalone Environment

    Informal definition:

    App + Abuse = AppUse

    In short - Open source Linux VM loaded with everything needed for Android application PT (custom emulator, tools, IDE, practice apps, etc.)


  • DEMO information gathering with AppUse







  • Intro to Android Linux OS security

    Android was designed from the ground up with a strong security model (the sandbox)

    Each app runs in its own Linux process with its own UID by default.

    Each app runs as a separate user

    Each app runs in a separate process

    Each app runs with different permissions

    Each app has its own DB

    Applications are signed with the developers key

  • So what are the vulnerabilities were after?

  • Server side (old school) vulnerabilities

    Nothing new here look for server side vulns such as sqli, xss, auth, authz, etc

    Not related at all to Android

    Redirect the phones request to a proxy and manipulate with it

    Can be tricky apps dont like proxy certs

    You need to push the proxys into the phone

  • Unprotected communication

    Another old school..

    Not using any transport encryption such as SSL..

    No encryption

    No server side authentication

  • Insecure file system permissions

    Writing files with poor permissions

    Files on /data/data/APP/ with everyone read

    Files stored on SDcard (no permissions !!)

    Allows AppA to steal files from AppB

    Example - Skype

  • Insecure file system storage

    Storing sensitive data by the app


    Encryption keys

    Credit cards

    Even if the app does restrict access (as opposed to previous slide), its still a problem

    Device can get lost

    Device can be stoled

  • Phone identifiers used in authentication

    Binding some phone identifier (usually the IMEI) as a unique identifier to network requests.

    Served as kind of a cookie

    IMEI is often tied to PII

  • Intents - Androids IPC mechanism

  • Unprotected Broadcast Receivers

    Similar to web forceful browsing

    Applications use broadcast receiver components to receive intent messages.

    If the receiver is not protected by a permission, a malicious application can forge messages.

    Victims side:

  • DEMO unprotected content provider Similar to broadcast receiver, but this time the focus is data rather than functionality

    DEMO - Dropbox

  • Leaking Information via unsafe broadcasts any application can receive intent broadcasts that

    do not specify the target component

    protect the broadcast with a permission

    Can lead to exposure of sensitive information by malicious apps

  • Leaking Information to Logs Android provides centralized logging API

    Private information is often written to logs

    Location, Phone identified, Passwords, CC, etc.

    Any app with the READ_LOGS perm can read from it

    Example taken from recent PT:

    DEMO Logcat (webgoat login)

  • Intent DoS

    Android applications frequently process intents received from other applications.

    Many times theres no input validation, which can DoS the service

    Example - null checks on IPC input

    Null dereferences cause an application to crash, and can thus be used to as a DoS

  • Local SQL Injections

    Different attack vector than regular sqli !!

    In regular sqli the client is the attackr

    In mobile sqli the client is the victim

  • Unauthorized access to paid-for resources wallet, SMS, phone calls, NFC

    Apps with privileged access to such APIs can abuse and/or be abused

  • Advanced usage of Android Rootkits

    Android rootkits - Modify the Android device! Rootkit like technique (as described in my book Managed Code Rootkits) to alter the behavior of the dalvikVM

    Affects ALL applications without touching the APK

    Replace internal Android VM internal parts of code to Create a pentester friendly environment Disable security mechanisms (ex: SSL checks)

    Hook into important functions

    Change return values, parameters, etc.

    Get notification when specific function is called

    Break on function execution

    DEMO NFC breakpoint

  • Summary

    Mobile app security is more important than ever

    Mobile App PT requires different skills & toolsthan traditional Web App PT

    Dont reinvent the wheel. Use AppUse for your mobile PenTesting (new version soon!!!)

    We provide mobile app security hands-on training


    Secure coding